Malware leveraging public infrastructure like GitHub on the rise

The use of public services as command-and-control (C2) infrastructure isn’t a revolutionary technique for malicious actors. ReversingLabs has observed such behavior in several malware campaigns throughout the last few years. Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive and Discord to host second stage malware ...
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations

ReversingLabs has identified connections between a malicious campaign that was recently discovered and reported by the firm Phylum and several hundred malicious packages published to the NuGet package manager since the beginning of August. The latest discoveries are evidence of what seems to be an ongoing and coordinated campaign. Furthermore, ...
VMConnect supply chain attack continues, evidence points to North Korea

In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere ...
VMConnect: Malicious PyPI packages imitate popular open source modules

ReversingLabs has identified several malicious Python packages on the Python Package Index (PyPI) open source repository. In all, ReversingLabs researchers uncovered 24 malicious packages imitating three popular open source Python tools: vConnector, a wrapper module for pyVmomi VMware vSphere bindings; as well as eth-tester, a collection of tools for testing ...
When byte code bites: Who checks the contents of compiled Python files?

During our continuous threat hunting efforts to find malware in open-source repositories, the ReversingLabs team encountered a novel attack that used compiled Python code to evade detection. It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly ...
Red flags flew over software supply chain-compromised 3CX update

ReversingLabs is analyzing a supply chain compromise of the firm 3CX Ltd., a maker of enterprise voice over IP (VoIP) solutions. Beginning on March 22nd, 2023, compromised versions of the 3CXDesktopApp, a desktop client version of the company’s VoIP software, were found to contain malicious code. ...
VS Code hack shows how supply chain attacks can extend to other software development tools

From an information security perspective, 2022 can be called “The Year of Software Supply Chain Attacks.” Malicious actors have shifted their focus to new landscapes. Ten or twenty years ago, malware was piled up and served through services providing pirated content and email spam. Today’s malware has evolved to target ...
SentinelSneak: Malicious PyPI module poses as security software development kit

A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne ...
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method

Days after researchers for Phylum and Checkmarx revealed an ongoing software supply chain attack spreading the W4SP Stealer malware through malicious packages on the Python Package Index (PyPI), ReversingLabs researchers discovered 10 additional PyPI packages pushing modified versions of W4SP that were overlooked ...